January 2018 Code Aurora Security Bulletin

Version 1.1

Published: 01/25/2018
Updated: Feb. 8, 2018

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and are linked from this bulletin. These changes apply to, but are not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each vulnerability has an associated security rating. A description of these ratings, using version 1.2 of the ratings scheme, can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-11003, CVE-2017-11066, CVE-2017-11069, CVE-2017-11079, CVE-2017-11080, CVE-2017-14869, CVE-2017-14870, CVE-2017-9712: derrek (https://twitter.com/derrekr6)
CVE-2017-9689: Tim Strazzere (@timstrazz)
CVE-2017-14873: Peter Pi of Tencent Security Platform Department
CVE-2017-9705: Jianqiang Zhao (@jianqiangzhao)
CVE-2017-11081: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360

Table of vulnerabilities

Public ID       Security Rating  Technology Area                Date Reported
CVE-2017-15849  High             Display                        Internal
CVE-2017-11069  High             Trusted Execution Environment  5/27/2017
CVE-2017-11003  Medium           Boot                           3/13/2017
CVE-2017-9712   Medium           WLAN HOST                      3/24/2017
CVE-2017-9689   Medium           Display                        3/28/2017
CVE-2017-14873  Medium           Display                        4/30/2017
CVE-2017-9705   Medium           Qualcomm IPC                   5/9/2017
CVE-2017-14869  Medium           Boot                           5/27/2017
CVE-2017-14870  Medium           Boot                           5/27/2017
CVE-2017-11066  High             Boot                           4/27/2017
CVE-2017-15847  High             Trusted Execution Environment  Internal
CVE-2017-15845  Medium           WLAN HOST                      2/28/2017
CVE-2017-15848  High             DSP Service                    Internal
CVE-2017-11081  Medium           WLAN HOST                      7/11/2017
CVE-2017-11080  Medium           Boot                           7/16/2017
CVE-2017-11079  Medium           Boot                           7/16/2017

CVE-2017-15849

CVE ID CVE-2017-15849
Title Use After Free in Display
Description A LayerStack can be destroyed in between Validate and Commit by the application resulting in a Use After Free condition.
Technology Area Display
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 9/1/2017
Patch

CVE-2017-11069

CVE ID CVE-2017-11069
Title Buffer Copy without Checking Size of Input in Core
Description Manipulation of SafeSwitch Image data can result in Heap overflow.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 5/27/2017
Customer Notified Date 9/1/2017
Patch

CVE-2017-11003

CVE ID CVE-2017-11003
Title Improper Input Validation in Boot
Description While updating a firmware image, data is read from flash into RAM without checking that the data fits into allotted RAM size.
Technology Area Boot
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 3/13/2017
Customer Notified Date 8/7/2017
Patch

CVE-2017-9712

CVE ID CVE-2017-9712
Title Information Exposure in WLAN
Description If userspace provides a too-large IE length in wlan_hdd_cfg80211_set_ie, a buffer over-read occurs.
Technology Area WLAN HOST
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 3/24/2017
Customer Notified Date 7/3/2017
Patch
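
The bug class behind CVE-2017-9712 is an 802.11 information element (IE) whose declared length is trusted without comparing it to the bytes actually left in the buffer. The walker below is an added example, not CAF code and not the wlan_hdd_cfg80211_set_ie implementation; it models the check that a kernel driver must perform on IE data handed in from userspace. The IE encoding (1-byte element ID, 1-byte length, payload) is the standard one; the function and structure names and the sample buffers are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One parsed information element: ID, declared length, pointer to payload. */
struct ie_view {
    uint8_t id;
    uint8_t len;
    const uint8_t *data;
};

/*
 * Walks a buffer of 802.11 IEs. Returns the number of well-formed elements,
 * or -1 if a header is cut off or an element's declared length runs past the
 * end of the buffer. Up to `max_out` elements are written to `out`.
 */
int parse_ies(const uint8_t *buf, size_t buf_len,
              struct ie_view *out, size_t max_out)
{
    size_t pos = 0;
    int count = 0;

    while (pos < buf_len) {
        /* A complete 2-byte header must be present. */
        if (buf_len - pos < 2)
            return -1;

        uint8_t id  = buf[pos];
        uint8_t len = buf[pos + 1];

        /* The unchecked variant copies `len` bytes here no matter how many
         * remain: that is the over-read. Reject lengths past the buffer. */
        if (len > buf_len - pos - 2)
            return -1;

        if ((size_t)count < max_out) {
            out[count].id   = id;
            out[count].len  = len;
            out[count].data = buf + pos + 2;
        }
        count++;
        pos += 2 + (size_t)len;
    }
    return count;
}

/* Constructed sample: SSID IE "lab" followed by a Supported Rates IE. */
static const uint8_t good_ies[] = {
    0x00, 0x03, 'l', 'a', 'b',
    0x01, 0x04, 0x82, 0x84, 0x8b, 0x96,
};

/* Constructed sample: same SSID IE, then a vendor-specific IE (0xdd)
 * claiming 255 bytes of payload although only 2 bytes follow. */
static const uint8_t bad_ies[] = {
    0x00, 0x03, 'l', 'a', 'b',
    0xdd, 0xff, 0x00, 0x50,
};

/* Constructed sample: a trailing byte that is only half a header. */
static const uint8_t short_tail[] = { 0x00, 0x03, 'l', 'a', 'b', 0x01 };

int demo_good(void)       { struct ie_view v[4]; return parse_ies(good_ies, sizeof good_ies, v, 4); }
int demo_bad(void)        { struct ie_view v[4]; return parse_ies(bad_ies, sizeof bad_ies, v, 4); }
int demo_short_tail(void) { struct ie_view v[4]; return parse_ies(short_tail, sizeof short_tail, v, 4); }

int main(void)
{
    struct ie_view v[4];
    int n = parse_ies(good_ies, sizeof good_ies, v, 4);
    printf("good buffer: %d IEs\n", n);
    for (int i = 0; i < n; i++)
        printf("  id=%u len=%u\n", v[i].id, v[i].len);
    printf("oversized length: %d\n", demo_bad());
    printf("truncated header: %d\n", demo_short_tail());
    return 0;
}
```

The comparison is written as `len > buf_len - pos - 2` rather than `pos + 2 + len > buf_len` so that no intermediate sum can wrap; the subtraction is safe because the preceding check guarantees at least two bytes remain.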

CVE-2017-9689

CVE ID CVE-2017-9689
Title Buffer Copy without Checking Size of Input in Display
Description A specially-crafted HDMI CEC message can be used to cause stack memory corruption.
Technology Area Display
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 3/28/2017
Customer Notified Date 7/3/2017
Patch

CVE-2017-14873

CVE ID CVE-2017-14873
Title Improper Input Validation in Display
Description In the pp_pgc_get_config() graphics driver function, a kernel memory overwrite can potentially occur.
Technology Area Display
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 4/30/2017
Customer Notified Date 10/2/2017
Patch

CVE-2017-9705

CVE ID CVE-2017-9705
Title Double Free in Core
Description Because of missing locking, concurrent rx notifications and read() operations in the G-Link PKT driver can cause list_del() and list_add() to overlap and corrupt the list's next and previous pointers, resulting in a double free.
Technology Area Qualcomm IPC
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating Medium
Date Reported 5/9/2017
Customer Notified Date 10/2/2017
Patch

CVE-2017-14869

CVE ID CVE-2017-14869
Title Information Exposure in Boot
Description While performing an update of the FOTA partition, uninitialized data can be pushed to storage.
Technology Area Boot
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 5/27/2017
Customer Notified Date 10/2/2017
Patch

CVE-2017-14870

CVE ID CVE-2017-14870
Title Information Exposure in Boot
Description While updating the recovery message for eMMC devices, 1088 bytes of stack memory can potentially be leaked.
Technology Area Boot
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 5/27/2017
Customer Notified Date 10/2/2017
Patch

CVE-2017-11066

CVE ID CVE-2017-11066
Title Buffer Copy without Checking Size of Input in Boot
Description While flashing a UBI image, uninitialized memory could be accessed.
Technology Area Boot
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 4/27/2017
Customer Notified Date 9/1/2017
Patch

CVE-2017-15847

CVE ID CVE-2017-15847
Title Time-of-check Time-of-use (TOCTOU) Race Condition in Core
Description In the SPCom kernel driver, a race condition exists when creating a channel.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 10/2/2017
Patch

CVE-2017-15845

CVE ID CVE-2017-15845
Title Integer Underflow in WLAN
Description An invalid firmware size supplied from user space (a negative value) can potentially lead to a memory leak or buffer overflow during the WLAN cal data store operation.
Technology Area WLAN HOST
Vulnerability Type CWE-191 Integer Underflow (Wrap or Wraparound)
Access Vector Local
Security Rating Medium
Date Reported 2/28/2017
Customer Notified Date 10/2/2017
Patch

CVE-2017-15848

CVE ID CVE-2017-15848
Title Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) in Multimedia
Description In the fastrpc kernel driver, a buffer overflow can potentially be triggered from userspace.
Technology Area DSP Service
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 10/2/2017
Patch

CVE-2017-11081

CVE ID CVE-2017-11081
Title Buffer Copy without Checking Size of Input in WLAN
Description There is a potential buffer overflow in the hdd_parse_setrmcenable_command and hdd_parse_setrmcactionperiod_command APIs: the buffers defined in these APIs hold at most 32 bytes, but more than 32 bytes of data can be copied into them.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 7/11/2017
Customer Notified Date 10/2/2017
Patch

CVE-2017-11080

CVE ID CVE-2017-11080
Title Configuration Vulnerability in Boot
Description While processing a user-supplied sparse image, a buffer overflow could occur if the sparse header block size is equal to 4294967296.
Technology Area Boot
Vulnerability Type CWE-16 Configuration
Access Vector Local
Security Rating Medium
Date Reported 7/16/2017
Customer Notified Date 10/2/2017
Patch

CVE-2017-11079

CVE ID CVE-2017-11079
Title Information Exposure in Boot
Description While processing a sparse image, uninitialized heap memory can potentially be flashed because the sparse image block header size is not validated.
Technology Area Boot
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 7/16/2017
Customer Notified Date 10/2/2017
Patch
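
CVE-2017-11080 and CVE-2017-11079 are both failures to validate fields of the Android sparse image header before flashing: block-size arithmetic that wraps, and a chunk whose declared size is not checked against the bytes actually received. The validator below is an added example, not CAF or Qualcomm bootloader code, and does not claim to reproduce how the affected code was structured; it shows the checks a flashing routine needs before it writes a single block. The header layout and chunk type values follow AOSP system/core/libsparse/sparse_format.h; the error codes, function names and the constructed test images are this example's own. `wrapped_chunk_bytes` is the unchecked 32-bit computation, kept only to show what it returns for the malformed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Android sparse image constants, per AOSP libsparse/sparse_format.h. */
#define SPARSE_MAGIC         0xed26ff3au
#define CHUNK_TYPE_RAW       0xCAC1
#define CHUNK_TYPE_FILL      0xCAC2
#define CHUNK_TYPE_DONT_CARE 0xCAC3
#define CHUNK_TYPE_CRC32     0xCAC4
#define SPARSE_HDR_SZ        28
#define CHUNK_HDR_SZ         12

/* Error codes are this example's own. */
enum sparse_err {
    SPARSE_OK = 0,
    SPARSE_E_SHORT = -1,    /* input ends inside a header or a chunk's declared total_sz */
    SPARSE_E_MAGIC = -2,
    SPARSE_E_VERSION = -3,
    SPARSE_E_HDR_SZ = -4,   /* file_hdr_sz or chunk_hdr_sz smaller than the format */
    SPARSE_E_BLK_SZ = -5,   /* blk_sz zero or not a multiple of 4 */
    SPARSE_E_OVERFLOW = -6, /* chunk_sz * blk_sz cannot fit the 32-bit total_sz */
    SPARSE_E_CHUNK = -7,    /* unknown chunk type or total_sz inconsistent with it */
    SPARSE_E_BLOCKS = -8,   /* chunks cover more blocks than total_blks */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* The unchecked arithmetic: a 32-bit product that silently wraps. */
uint32_t wrapped_chunk_bytes(uint32_t chunk_sz, uint32_t blk_sz) { return chunk_sz * blk_sz; }

/* Validates every header before anything is flashed. Returns SPARSE_OK and
 * the decoded output size in bytes, or a negative sparse_err. */
int validate_sparse(const uint8_t *img, size_t len, uint64_t *out_bytes)
{
    if (len < SPARSE_HDR_SZ) return SPARSE_E_SHORT;
    if (rd32(img) != SPARSE_MAGIC) return SPARSE_E_MAGIC;
    if (rd16(img + 4) != 1) return SPARSE_E_VERSION;   /* major_version */
    uint16_t file_hdr_sz = rd16(img + 8), chunk_hdr_sz = rd16(img + 10);
    uint32_t blk_sz = rd32(img + 12), total_blks = rd32(img + 16), total_chunks = rd32(img + 20);

    if (file_hdr_sz < SPARSE_HDR_SZ || chunk_hdr_sz < CHUNK_HDR_SZ) return SPARSE_E_HDR_SZ;
    if (blk_sz == 0 || (blk_sz & 3) != 0) return SPARSE_E_BLK_SZ;
    if (len < file_hdr_sz) return SPARSE_E_SHORT;

    size_t pos = file_hdr_sz;
    uint64_t blocks_done = 0;
    for (uint32_t i = 0; i < total_chunks; i++) {
        if (len - pos < chunk_hdr_sz) return SPARSE_E_SHORT;
        uint16_t type = rd16(img + pos);
        uint32_t chunk_sz = rd32(img + pos + 4), total_sz = rd32(img + pos + 8);
        /* 64-bit product: the wrap a 32-bit multiply hides is what lets a
         * 12-byte chunk with no payload claim gigabytes of output. */
        uint64_t data_bytes = (uint64_t)chunk_sz * blk_sz, expect;
        switch (type) {
        case CHUNK_TYPE_RAW:
            if (data_bytes > UINT32_MAX - chunk_hdr_sz) return SPARSE_E_OVERFLOW;
            expect = chunk_hdr_sz + data_bytes; break;
        case CHUNK_TYPE_FILL: case CHUNK_TYPE_CRC32: expect = chunk_hdr_sz + 4u; break;
        case CHUNK_TYPE_DONT_CARE: expect = chunk_hdr_sz; break;
        default: return SPARSE_E_CHUNK;
        }
        if (total_sz != expect) return SPARSE_E_CHUNK;
        /* Declared bytes must actually be present; a flasher that trusts
         * total_sz otherwise writes out memory it never read in. */
        if (total_sz > len - pos) return SPARSE_E_SHORT;
        blocks_done += chunk_sz;
        if (blocks_done > total_blks) return SPARSE_E_BLOCKS;
        pos += total_sz;
    }
    if (out_bytes) *out_bytes = (uint64_t)total_blks * blk_sz;
    return SPARSE_OK;
}

/* Constructed image (buf must hold 128 bytes): one RAW chunk, then a FILL chunk
 * of two blocks. blk_sz and the RAW chunk's fields are parameters so that a
 * malformed variant can be built. Returns the image length. */
size_t build_image(uint8_t *buf, uint32_t blk_sz, uint32_t raw_chunk_sz,
                   uint32_t raw_total_sz, size_t raw_data_len)
{
    memset(buf, 0, 128);
    wr32(buf, SPARSE_MAGIC);  wr16(buf + 4, 1);  wr16(buf + 8, SPARSE_HDR_SZ);
    wr16(buf + 10, CHUNK_HDR_SZ);  wr32(buf + 12, blk_sz);
    wr32(buf + 16, raw_chunk_sz + 2);  wr32(buf + 20, 2);   /* total_blks, total_chunks */
    size_t pos = SPARSE_HDR_SZ;
    wr16(buf + pos, CHUNK_TYPE_RAW);  wr32(buf + pos + 4, raw_chunk_sz);
    wr32(buf + pos + 8, raw_total_sz);  pos += CHUNK_HDR_SZ;
    memset(buf + pos, 0xAA, raw_data_len);  pos += raw_data_len;
    wr16(buf + pos, CHUNK_TYPE_FILL);  wr32(buf + pos + 4, 2);
    wr32(buf + pos + 8, CHUNK_HDR_SZ + 4);  pos += CHUNK_HDR_SZ + 4;
    return pos;
}

int demo_good(void)      { uint8_t b[128]; size_t n = build_image(b, 16, 1, 28, 16); return validate_sparse(b, n, NULL); }
uint64_t demo_good_bytes(void) { uint8_t b[128]; uint64_t o = 0; size_t n = build_image(b, 16, 1, 28, 16); validate_sparse(b, n, &o); return o; }
/* blk_sz 0x80000000 with chunk_sz 2 wraps to 0 in 32 bits, so total_sz = 12 "matches". */
int demo_wrapped(void)   { uint8_t b[128]; size_t n = build_image(b, 0x80000000u, 2, 12, 0); return validate_sparse(b, n, NULL); }
/* Image cut 4 bytes short: the FILL chunk declares bytes that are not there. */
int demo_truncated(void) { uint8_t b[128]; size_t n = build_image(b, 16, 1, 28, 16); return validate_sparse(b, n - 4, NULL); }

int main(void)
{
    printf("well-formed: %d, output %llu bytes\n", demo_good(), (unsigned long long)demo_good_bytes());
    printf("32-bit 2 * 0x80000000 = %u\n", wrapped_chunk_bytes(2, 0x80000000u));
    printf("wrapped blk_sz: %d, truncated: %d\n", demo_wrapped(), demo_truncated());
    return 0;
}
```

The overflow check is applied to RAW chunks, whose payload must be present in the input and whose size is carried in a 32-bit field; FILL and DONT_CARE chunks carry no payload, and their contribution to the output is bounded by the 64-bit `blocks_done` comparison against `total_blks` instead.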

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections, such as SELinux, that are not enforced on some platforms
  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version Date Comments
1.0 January 25, 2018 Bulletin Published
1.1 February 8, 2018 Removed duplicate CVE